A New ransomware family called “Bad Rabbit” rapidly spreading across the Eastern European countries affecting government and private agencies including Russia, Ukraine, Bulgaria, and Turkey.

Bad Rabbit is a previously unknown ransomware family and it is distributing mostly via drive-by attacks using Adobe Flash player and no Exploit were used by this Bad Rabbit ransomware.

Drive-by Attacks cybercriminals look for insecure websites and plant a malicious script into HTTP or PHP code on one of the pages. This script may install malware directly onto the computer of someone who visits the site.

This ransomware dropper is distributed from fake Adobe Flash players installer “hxxp://1dnscontrol[.]com/flash_install.php” and victims are redirected to this malware web resource from legitimate news websites.

Adobe Flash Player based Malicious variant install_flash_player.exe need to manually installed by Victim.

Kaspersky and EsetResearcherssaid, “Our researchers have detected a number of compromised websites, all news or media sites,” the Russian security company, now embroiled in controversy, writes on its blog. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr.”

Bad Rabbit also capable of scheduling talk with the name of dragon, as the malware makes reference to Daenerys Targaryen’s dragons and Grey Worm,

BadRabbit creates two scheduled tasks, named after the dragons from Game of Thrones. Also a reference to GrayWorm, the skin disease in GoT. pic.twitter.com/BfQxGrMwC0

Based on analysis by ESET, Emsisoft, Bad Rabbit uses Mimikatz to extract credentials from the local computer’s memory, and along with a list of hard-coded credentials, it tries to use servers and workstations on the same network via SMB and WebDAV.

After installing the install_flash_player.exe variant by victims then Finally computer will be Locked by Bad Rabbit and it will showing the following Ransom note.

Bad Rabbit Infected Machine

Later, Victims will be demanded to pay 0.05 Bitcoin to get decrypt key at the same time payment deadline time count also running in the Screen with a running timer which counting down toward an hour when the price goes up.

Bad Rabbit also can able to Encrypt the following file Extension which is presented to the victim’s computer.

According to ESET report, Following countries, are the most infected by Bad Rabbit Ransomware.

Russia: 65%

Ukraine: 12.2%

Bulgaria: 10.2%

Turkey: 6.4%

Japan: 3.8%

Other: 2.4%

It’s interesting to note that all these big companies were all hit at the same time. It is possible that the group already had the foot inside their network and launched the watering hole attack at the same time as a decoy. ESET said.

Bad Rabbit Ransom Notes

Oops! Your files have been encrypted. If you see this text, your files are no longer accessible.
You might have been looking for a way to recover your files.
Don't waste your time. No one will be able to recover them without our
decryption service. We guarantee that you can recover all your files safely. All you
need to do is submit the payment and get the decryption password. Visit our web service at caforssztxqzf2nm.onion Your personal installation key#1:

Subscribe to PHI via Email

Enter your email address to subscribe to PHI and receive notifications of new posts by email.

Join 1,478 other subscribers

Email Address

PROFESSIONAL HACKERS INDIA

We are proud to offer premier information security updates, IT updates, Core Tools And Techniques across the globe. Our mission is to make the internet more secure, more trendy, more aware and more reliable.